5 Things You Should Know about the General Data Protection Regulation
Most people give their blind trust to tech giants when it comes to security and their own privacy. They figure that such big technology companies would know what they are doing and that they have the best technical professionals under their employ. Not even the data breaches involving some of the biggest names in business, such as Adult Friend Finder, Equifax, JP Morgan Chase, Yahoo, Target, Adobe, and Sony, can shake that faith. For most, they see these security lapses as isolated events.
However, the protection of personal data has once again been the hot topic since Facebook came out and admitted that they bungled how they handled their users’ personal data. Suddenly, the social networking giant was under fire and facing mounting criticisms coming from users after the painful truth was revealed.
The truth is that your personal and private data are not safe, even at the hands of Google, Facebook, and Microsoft. And the European Union recognizes that, which is why they have come up with the General Data Protection Regulation (GDPR).
The GDPR is a set of rules that would govern how EU countries should protect the personal data of their citizens. It will take effect in May 2018.
What are the things you need to know about EU’s GDPR law?
1. What is the General Data Protection Regulation for?
The General Data Protection Regulation has three main aims. These are:
- To make data privacy regulations uniform all across the European Union. This is to ensure that the protection of private, confidential, and personal data of all EU residents are taken care of.
- To give EU citizens a greater degree of control with regards to how their data are used and stored.
- To control how private and personal information are transmitted outside the European Union.
Understanding these aims is a good start towards compliance. A user’s personal data can include name, address, religion, social media posts, biometric data, and other personally identifiable information.
Also, you should know that the GDPR will replace older laws, such as the Data Protection Act in the United Kingdom and the Data Protection Directive by the EU. The new law has more teeth and everyone who is based in the EU or has business relationships with EU citizens will be bound by it.
In a nutshell, what does the GDPR say? Personal data should be:
- Lawfully and transparently processed
- Collected only for lawful uses
- Collected only when relevant or necessary
- Accurate and updated
- Stored only when necessary
- Kept confidential and secure
2. It may still apply to you even if you do not have operations in Europe.
If you think that GDPR laws would not cover you because you do not have offices in the European Union, you are quite mistaken. As long as you have interactions with any EU resident, you would need to comply with the GDPR. In fact, all nonprofit organizations, government agencies, and businesses with a customer or supplier from the EU would need to brush up on the law.
This means that you should not ignore GDPR and it means that you should not underestimate the data you have from the EU.
To illustrate this point, if you are a hospital in Canada and you have a Czech patient, you will still be subject to GDPR.
3. If you feel that you are not ready for the General Data Protection Regulation, then it might be a consolation to know that you are not alone.
The General Data Protection Regulation was approved close to two years ago, in April 2016. Yet, very few companies are ready for it.
According to a study published by the government of the United Kingdom, a majority of UK companies are aware of the GDPR, with 37% being very aware and 45% being somewhat aware of the new rules. However, only around one in every 17 companies is fully prepared for the new rules. Then around 71% are somewhat prepared for it.
4. Ignoring GDPR could cost you a lot of money.
GDPR has a lot of guidelines and it can also levy a sizable fine for violators. For instance, you will pay a lot of money in fines if you fail to notify proper authorities of any data breaches that happen within 72 hours.
How big is this fine? Violators can face monetary charges of up to 4% of their annual sales. Just imagine, if Amazon Web Services fails to notify the proper authorities about a data breach within 72 hours that it happened, the company could face fines of up to $698.36 million, based on their 2017 revenue of $17.46 billion.
If your yearly sales are not high enough, you could be fined a maximum of 20 million euros, or around $24.67 million.
In some instances, companies should also notify affected persons about the breach.
5. Is there any company that can help you with the General Data Protection Regulation?
No matter how you look at it, the General Data Protection Regulation is a law and it involves legal jargon. If you do not have the time or expertise to read through the law and find out what it requires, then there is help for you. There are several compliance consultants that you can work with, ensuring that you are fully kosher with the new law. These service providers can help guarantee that your company and your IT infrastructure are up to speed with the new law.
Additionally, there are now insurance companies that can insure you in the event of online attacks. One example of these insurance firms is the Beazley Group, which is headquartered in London.
The Beazley Group currently offers the Beazley Breach Response, which is just perfect for small businesses and mid-sized enterprises. The company will take care of conducting the initial probe if you encounter a data breach, and they will be the ones who will send out notifications to the people who are affected by the breach, among other things.
Photo courtesy of Dennis van der Heijden (Flickr).